Sign up to our newsletter
The latest security news direct to your inbox
Several years ago when I first saw an e-Card, the first thing that I thought was that these would become a very successful tool for social engineering attacks designed at spreading malicious software. The current wave of “storm worm” spam uses this exact tactic. Emails such as the following are how users are tricked into running malicious software.
Subject: You’ve received an ecard from a School mate!
Hi. School mate has sent you an ecard.
See your card as often as you wish during the next 15 days.
SEEING YOUR CARD
If your email software creates links to Web pages, click on your
card’s direct www address below while you are connected to the Internet:
Or copy and paste it into your browser’s "Location" box (where Internet
We hope you enjoy your awesome card.
Wishing you the best,
I could go into the obvious signs that this is not legitimate, but the real problem is that e-Cards, etc. teach people to take candy from strangers.
Take a look at the dynamics of the e-Card scheme. To start with you go to a web site run by a company you probably know nothing about. Next you give them your friend or family member’s email address, generally without knowing if this will be used for spamming. The person then receives an email from someone who claims to have something they want and claims it is from someone they know. This works a few times. The recipient gets used to seeing nice things called “e-Cards.” The bad guys know how this works.
The average user is not going to see the difference between “Frank has sent you an e-Card” and “You’ve received an ecard from a School mate!”
Effectively, without thinking about it, by sending e-Cards we teach people to become victims. It’s like giving a stranger a piece of candy and asking them to deliver it to a child. People become conditioned to click on links in email that more and more frequently result in the infection of their computers.
Because of the horrendously bad computing habits e-Cards and e-Vites teach I refuse to use them. I will not participate in teaching people to become victims.
Director of Technical Education
Author ESET Research, ESET